Blogs

About this blog

Forum for those Learning about Leading IBM Application Security Tricks, Scripts and Tools and Kits for AppScan Source for Analysis ...Customizing, Integrating, Sniffing, Snooping and Hijacking your way to joy.

Tags

The AppScan Appliance – Adding .NET Solution Scanning On Demand

One of the main
advantages of having a full Continuous Integration environment
integrated with the security scanning tools, all running together on
a central server (pronounced “Mainframe”) is the ability for
customization to take place, such as the initial phase of Support
for ASP.NET MVC 3.0 , and immediately be made available to the
entire enterprise.

In this scenario,
a key aspect to take into consideration is the fact that the product
integration, installation of the development / run time
environments and SDKs, as well as the upgrade of various components
that was necessary to perform the investigation, initial prototyping
and testing of this brand new “customer specific” support was all
performed behind the scenes – keeping any dirty laundry hidden
while minimizing the perceived complexity.

As this is a concept in process where the twin objectives are to
generate high confidence results and to

communicate these
to the developer in the most effective and efficient way, this integration is also the chance to

test out a particular
'developer workflow':

For this workflow, the process is as
follows:

→ The creation
of a specific Version Control System (VCS) repository which is to be
used by the development team responsible for the MvcMusicStore
application.

→ Individual
developer can, at any point, check in and build their code and,
trigger a Source-Code-Scan-On-Demand of the application.

→ Once the
check in or commit of the code has taken place, the developer can
watch the build and scanning taking place by logging into a Web
Portal hosted on The AppScan.

→ The results
of the scan are filtered according to the specific security policies
in place, automatically incorporated into a reporting dashboard in
the Web Portal and also made available for download to work with
locally.

As I've become
more familiar with TeamCity Artifacts, setting and using Environment
Variables and Configuration Parameters, my Command Line Interface
(CLI) scripts have evolved to be used in a much more generic manner:

Here we can see the developer, obviously a Mono
Champ to develop C# on a Mac, entering a commit message and syncing.

On the AppScan Appliance side we can see that a build was
triggered and details about the user including the commit message.

Now the developer can log in to the AppScan Web Portal to
view the overall progress of the build.

And can view the details of the build and scan in real
time in the Build Log.

Once the scan finishes, all Build Artifacts, which in
this case include a couple of reports and the assessment file, can be
viewed online or downloaded to be used locally.

Any of the HTML reports that are generated can be added
to the Project Reports page so that the most recent scan results, for
example, are shown.

Here we can notice all the Findings that were
added as a result of the addition of the F4FHandler that was created in order to provide support for the ASP.NET MVC 3.0 Framework.

The ability to perform
involved customization work, adding support for an entirely new
'custom' framework, behind the scenes is certainly a step in the
right direction in terms of reducing complexity for the consumer.

Being able to implement a workflow for the developer to initiate
scans and view / download the results in such a relatively easy
manner seems like a nice testament to the ongoing evolution of this
"Appliance" concept or "The AppScan" as some are
now referring to it.